The effect of data breaches on company performance

• Pages: 275-301
• DOI: https://doi.org/10.1108/IJAIM-01-2019-0006
• Published date: 27 March 2020
• Date: 27 March 2020
• Author: Ahmad H. Juma'h,Yazan Alnsour
• Subject Matter: Accounting methods/systems,Accounting & Finance,Accounting/accountancy

The ef‌fect of data breaches on

company performance

Ahmad H. Juma’h

Department of Accountancy, University of Illinois, Springf‌ield, Illinois, USA, and

Yazan Alnsour

Department of Computer Information Systems,

University of Northern Colorado, Greeley, Colorado, USA

Abstract

Purpose –This paper aims to analyzethe effect of data breaches –whose concerns and implicationscan be

legal, socialand economic –on companies’overall performance.

Design/methodology/approach –Information on data breaches was collected from online

compilations,and f‌inancial data on breached companies was collectedfrom the Mergent Online database. The

f‌inancial variables used were related to prof‌itability, liquidity, solvency and company size to analyze the

f‌inancial performance of thebreached companies before and after the data breach event. Nonf‌inancial data,

such as the type and the size of the breaches, was also collected. The data was analyzed using multiple

regression.

Findings –The results conf‌irmthat nonmandatory information related to announcements of databreaches

is a signal of companies’overallperformance, as measured by prof‌itability ratios, returnon assets and return

on equity. The study does not conf‌irm a relationshipbetween data breaches and stock market reactionwhen

measuringquarterly changes in share prices.

Research limitations/implications –The main limitation of the study relates to ratio and trend

analyses. Such analysesare commonly used when researching accountinginformation. However, they do not

directly ref‌lect the companies’conditionsand realities, and they rely on companies’releasedf‌inancial reports.

Another limitation concerns the confounding factors. The major confounding factors around the data

breaches’dates were identif‌ied;however, this was not enough to assure that other factorswere not affecting

the companies’f‌inancialperformance. Because of the nature of such events, this studyneeds to be replicated

to include specif‌ic information about the companies using case studies. Therefore, the authors recommend

replicating the research to validate the article’sf‌indings when each industry makes more announcements

available.

Practical implications –To remediate the risks and losses associated with data breaches, companies

may use their reservedfunds.

Social implications –Company data breach announcements signal internal def‌iciencies. Therefore, the

affectedcompanies become liable to their employees, customersand investors.

Originality/value –The paper contributesto both theory and practice in the areas of accounting f‌inance,

and informationmanagement.

Keywords Financial performance, Data breaches, Nonf‌inancial factors,

Number of breached records

Paper type Research paper

Declaration of interest: The authors report no conf‌licts of interest. The authors alone are responsible

for the content and writing of this paper.

Data breaches

275

Received19 January 2019

Revised20 April 2019

27June 2019

Accepted5 August 2019

InternationalJournal of

Accounting& Information

Management

Vol.28 No. 2, 2020

pp. 275-301

© Emerald Publishing Limited

1834-7649

DOI 10.1108/IJAIM-01-2019-0006

The current issue and full text archive of this journal is available on Emerald Insight at:

https://www.emerald.com/insight/1834-7649.htm

1. Introduction

Accelerated progress in communication, networks and information technologies is shaping

global business, and it is estimated to continue changing business structures for the

foreseeable future. This development has many advantages and disadvantages for all

organizations’stakeholders. Information systems management is increasingly considering

information security and privacy due to their potential critical issues for all company

activities. The magnitudeof the importance of breached data was described in the California

Data Breach Report 2012-2015(Harris, 2016) as follows:

In the past four years, the Attorney General has received reports on 657 data breaches,

affecting a total of over 49 million recordsof Californians. In 2012, there were 131 breaches,

involving 2.6 million records of Californians; in 2015, 178 breaches put over 24 million

records at risk. This means that nearly three in f‌ive Californians were victims of a data

breach in 2015 alone (p. 8).

Multinational companies rely heavily on technology and always have some technical

vulnerabilities, which means data breaches and losses are inevitable. Data is one of the

company’s most important assets,and the threat of losing data control is becoming an issue

that affects everyone. No matter whether companies establish guidelines and controls to

mitigate the risk of data breaches, hacking and phishing threats still exist. Information

security and privacy is a determining factor for companies’continuity and sustainability.

Companies are adopting several protection techniques such as system authentication, data

encryption, user access control and f‌irewalls as wellas practices that aim to minimize such

risks such as employee training and userorientation to the company’s information security

policy and protocols. Despite these measures, perpetrators are becoming more organized

and sophisticated,and the risk is growing.

There are many recent examples of companies that have suffered from major data

breaches –Equifax, Anthem, eBay, JPMorgan Chase, Home Depot, Yahoo and Target,

among others. Assessing the economic effects of data breaches is a challenge for both

accounting and information security management (Schatz and Bashroush, 2016). Research

concerning the implications of data breaches is considered an emerging area (Ghosh and

Swaminatha, 2001;Spanos and Angelis,2015, 2016). Event studies have mostly shown that

data breaches have a negative effect on cumulative abnormal returns of publicly traded

companies. However, these same studies have shown mixed results concerning the

signif‌icance of the relationship between data breaches and company value/share. Event

studies using daily share prices investigate the immediate effect of a breach. Over a longer

timeframe, Kannan et al. (2007) found no signif‌icant negative effect of information security

breaches on company value. In descriptiveand comparative studies, Ko and Dorantes (2006)

found that sales increased signif‌icantly for the breached f‌irms in the fourth quarter after a

security breach, contradicting the negative effects shown in most event studies performed

using daily share prices.

Stoel and Muhanna (2011) found that companies with information technology (IT)

weaknesses performed worse than f‌irms with no weaknesses. Data breaches indicate

def‌iciencies in internal controls –particularly IT internal controls. Companies that are

continually improving theirIT controls to avoid cyber-incidents can reduce the risk of data

breaches. However, hackers’ability to penetrate larger companies’records,such as those of

Apple, Walmart and Equifax, indicates that hackers are becoming threats even to

companies that invest heavily in IT. Brody et al. (2018) indicatethat the potentially harmful

effects of malware, whichcan be f‌inancial and nonf‌inancial,are often not well known.

To contribute to the existing literature, the goal of this article is to analyze the

intermediate (quarterly) term effect of data breaches on companies’performance by

IJAIM

28,2

276